Ask HN: Advise for a self-taught budding programmer
I have been learning how to program on my own for sometime now. I have mostly been learning Java and Spring - I have some other reasons why I specifically chose these technologies. I have also been working on developing my own website that will be offering some services to clients in my home country.
On the front-end bit, I have identified Envato Market where, I think, I can find good and affordable designers. So, my first question, do we have alternatives to that?
Secondly, on hosting, what are the best practices bearing in mind the mentioned technologies above?
Thirdly, while I will not be able to afford an expert on security at this moment in time, what other options are available to me?
Thank you in advance.
9 comments
[ 3.3 ms ] story [ 27.5 ms ] threadLearn basic front-end skills. You can go a long way with just bootstrap, jquery and some nicely resized stock photographs. There's plenty of nice themes around for free or only an insignificant amount of money. Consider that you'll probably be competing on this front for the most part. This and your rate.
On hosting:
A $5/month VPS running Debian is cheap and can handle a decent amount of traffic.
On security:
You don't need a security expert unless you're dealing with highly sensitive information. Follow the best practices on: https://www.owasp.org/index.php/Main_Page Remember to sanitize all user input. Remember to be extra careful when you are serving user input to other users.
• Whitelist user input where possible, do not try to blacklist known dangerous characters. There are too many conflicting rendering ideologies for HTML between Chrome, Firefox and Internet Explorer for this to be feasible. For example, a language parameter's value in a POST request to change user settings should be whitelisted to things like "en" - there is no reason to allow "%0aSet-Cookie:%20", which could cause HTTP Header Injection. Absolutely do not try to be clever and sanitize specific tags like "<script>"
• Thoroughly escape dangerous characters if they must be represented. Use a well-tested library for this, do not try to roll your own.
• Do not allow user-input for filenames, especially if the file needs to be uploaded to a privileged directory (also avoid, where possible).
OWASP is unfortunately an inconsistent guide at best. security.stackexchange and /r/netsec are better.
Security is aggressively difficult. OP, if you have any more specific security questions you're welcome to email me and I'll help you out, free of charge.
The absolute best thing you can do to help yourself with security right now as a self-taught programmer is to thoroughly familiarize yourself with:
1. The nuances of your chosen language, and
2. The best libraries for security, authentication and input handling in your chosen language and framework.
For example, if you are a Ruby programmer you should immediately know about e.g. the dangers of passing user input to send() and how Ruby's REGEX functions a bit differently than other languages. You should also know the best authentication libraries off the top of your head and make use of them instead of trying to reinvent the wheel.
Some notes:
- Default MySQL install listens only on loopback interface, so isn't exposed to the network (and if it's not in your case, you can change that in my.cnf)
- IPTables/NFTables can be used to whitelist allowed network traffic beyond HTTP/HTTPS
- SSH should be limited to public-key auth, with root login disabled as well as password auth disabled (or you can use 2 step verification with Google Authenticator, which is pretty easy to set up)
One thing I'll note is that I don't have Tomcat exposed directly to the internet: it's only exposed through an NGINX reverse proxy.
Apache Tomcat is fairly easy to download and set up (you can download the .tar.gz from Apache's website, untar, and run the executable ./bin/startup.sh).
I'd be happy to answer any questions really re: Java/Spring
As yet, I haven't touched anything other than a Windows machine. I was thus wondering whether, while your suggestions are very good and that is where I would ultimately have to end up in, in the meantime, could I learn the basics in a few weeks just so as to set-up everything correctly and thereafter expend more time in learning the finer details of such a set-up? If that is not possible then I will be forced to just go with a hosting provider that handles some of these stuff - at least in the beginning as I learn "everything".